Important: This policy is a transparency document. It does not constitute legal advice to you, and it does not on its own create contractual rights beyond what applicable law provides. If you require bespoke documentation (for example a data processing agreement for a specific engagement), please contact us.
1. Definitions and interpretation
In this policy, unless the context requires otherwise:
- Personal data has the meaning given in the UK General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), read with the Data Protection Act 2018 (“DPA 2018”);
- Processing has the meaning given in the UK GDPR;
- Website means the public website operated by us at olliditton.com (or such other domain as we use from time to time);
- We / us / our means Olli Ditton;
- You means the individual visitor or, where applicable, the organisation on whose behalf you act.
Headings are for convenience only and do not affect interpretation. References to statutes or statutory provisions include those statutes or provisions as amended, extended, consolidated, re-enacted, or replaced from time to time. Words in the singular include the plural and vice versa.
2. Who we are (controller details)
We are the data controller in respect of personal data collected through the Website as described in this policy.
Contact (privacy and data protection): hello@olliditton.com. Correspondence address: London, United Kingdom (as published on the Website). If you are making a rights request, we may ask for reasonable information to verify identity before responding.
3. Scope and relationship to other documents
This policy applies to personal data collected through the Website and related online enquiry flows. It does not replace or override the terms of any separate recruitment mandate, engagement letter, statement of work, or written agreement between you (or your organisation) and us, where those documents address data protection expressly or by necessary implication.
Where this policy refers to our Cookie policy or Website terms of use, those documents should be read alongside this policy.
4. What personal data we collect
4.1 Website enquiries (forms)
Depending on which form you use, we may collect:
- Employer route: company name, your name, work email, role you are hiring for, free-text brief, and any optional fields shown on the form at the time of submission;
- Candidate route: full name, email, phone, target role, free-text experience or profile details, and any optional fields shown on the form.
We also record technical metadata generated by our systems (for example timestamps and internal identifiers) when a form is submitted. You warrant that information you submit is accurate to the best of your knowledge and that you have authority to submit it.
4.2 Testimonials on the Website
If we publish feedback on the site, we do so only following our internal review and with wording and attribution agreed for public display. Published testimonials are intended to show quotes and attribution labels only - not your full original message, email address, or telephone number, unless you have expressly agreed otherwise in writing.
4.3 Browsing and technical logs
Our hosting and application environment may process standard server information such as IP address, user agent, request path, and error logs. We use this for security, debugging, service operation, and establishing facts in the event of misuse or disputes.
4.4 Staff accounts (administrative workspace)
Authorised staff may sign in to a protected workspace. We process account identifiers (such as email) and authentication data required for access control, security, and audit logging. That environment is not part of the public Website; access is restricted.
4.5 Analytics and measurement (e.g. Google Analytics 4)
Where you have opted in through our cookie controls, we may use Google Analytics 4 (or a comparable tool) to understand how visitors use the Website - for example which pages are viewed, how you arrived at the site, approximate location derived from IP address (often at city or region level), device and browser type, scroll depth, and events we configure (such as successful form submissions). This processing typically involves cookies or similar identifiers placed on your device.
Google Ireland Limited or Google LLC (depending on product configuration) acts primarily as our processor for GA4 data, subject to Google’s terms and privacy documentation. Further information: Google Privacy Policy. Reports we receive are typically aggregated or pseudonymous and do not on their own identify you unless you have also submitted a form or otherwise identified yourself to us.
4.6 Digital advertising (e.g. Google Ads)
Where you have opted in to marketing or advertising cookies or similar technologies, we may use Google Ads (including search, display, remarketing, conversion tracking, and related features). That may involve Google setting or reading cookies, associating activity with your Google account if you are signed in to Google and have ad personalisation enabled, measuring ad impressions and clicks, and attributing conversions when you later engage with our site.
We do not receive from Google the identities of casual website visitors who have not contacted us. Advertising auctions, pricing, and platform policies are governed by Google’s separate terms with advertisers and, where applicable, with you as a user of Google services.
4.7 Files, CVs, and attachments
Where the Website allows file uploads (for example a CV or portfolio), we process the file and its contents for recruitment purposes, virus and malware screening where technically appropriate, storage on our systems or those of our processors, and onward transmission only as needed to progress your enquiry or mandate. Filenames and metadata may also be processed. You should not upload files containing malware or unrelated confidential third-party data.
5. Purposes and lawful bases
We process personal data on the following lawful bases under the UK GDPR and DPA 2018:
- Performance of a contract or steps prior to entering a contract: responding to hiring enquiries and candidate applications, and progressing recruitment discussions where you ask us to;
- Legitimate interests: operating and securing the Website, improving our services, internal record-keeping, defending legal claims, and (where permitted) publishing agreed or anonymised testimonial content. We consider and balance our interests against your rights and freedoms, and you may object to processing based on legitimate interests where the law allows;
- Consent: where we rely on consent - including the tick-box on our enquiry forms, your written agreement to display a testimonial, and (where required) consent for non-essential analytics and for advertising or marketing cookies via our cookie banner - you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawal may not fully erase data already transmitted to third-party platforms; see our Cookie policy;
- Legal obligation: where we must retain or disclose information to comply with law, regulation, court order, or a competent regulatory request.
6. Evidence of consent (cookie banner)
Where the law requires consent for optional technologies, we record your choice (including a timestamp and version identifier) using first-party storage in your browser (see the Cookie policy). That record is used to demonstrate what was selected on that device and browser. It is not a substitute for your separate contractual consents where those are required for recruitment services.
7. Retention
We retain enquiry and recruitment-related records for as long as needed to fulfil the purposes in section 5, including managing relationships, defending legal claims, and meeting regulatory expectations for recruitment businesses. Unless a shorter period is required by law, typical retention for enquiry records is up to 24-36 months after last meaningful contact, after which we delete or anonymise them unless we must keep them longer (for example an open dispute or regulatory investigation).
Server logs are kept for a shorter operational window unless extended retention is justified for security investigations.
Where Google Analytics or Google Ads is used, retention inside those platforms is governed by Google’s settings and policies and by configuration choices we apply (for example GA4 data retention settings).
8. Processors, sub-processors, and sharing
We do not sell your personal data. We may share it with:
- Service providers who host our site, store data, or provide IT security, acting as processors under written terms where required by law or good practice;
- Google (Google LLC, Google Ireland Limited, and affiliates) when you have consented to analytics and/or advertising tools - for measurement, reporting, fraud prevention, and ad delivery as described in sections 4.5-4.6;
- Professional advisers (for example lawyers or accountants) under professional duties of confidentiality;
- Authorities when required by law.
We may appoint sub-processors to assist processors. Where we control that relationship, we impose data protection obligations consistent with our own. A list of key categories of processors is available on request to serious enquirers; we do not undertake to provide real-time sub-processor registers on the public Website unless we agree otherwise in writing.
Third-party scripts (for example analytics or advertising tools, when you have opted in) may receive technical data (such as IP address) when they run; see the Cookie policy.
9. International transfers
Our primary systems are operated from the United Kingdom. If we use suppliers outside the UK or EEA (including Google services that may process data in the United States and other jurisdictions), we will implement appropriate safeguards recognised under UK law, such as the UK International Data Transfer Agreement or Addendum to the EU Commission Standard Contractual Clauses, together with supplementary measures where appropriate.
10. Security
We implement technical and organisational measures appropriate to the risk, including access controls, role-based permissions for staff, logging of administrative actions where proportionate, and encryption in transit where standard for web services. No transmission or storage is completely secure. You should not submit special-category (“sensitive”) personal data or criminal offence data through the Website unless we have expressly requested it and put in place appropriate safeguards.
11. Automated decision-making and profiling
We do not use Google Analytics or Google Ads to make solely automated decisions about you that produce legal or similarly significant effects within the meaning of the UK GDPR. Third-party platforms may personalise advertising using their own logic; you may manage ad personalisation through your Google account and browser settings.
12. Your rights
Subject to applicable law, you may have the right to request access to your personal data, to request rectification of inaccurate data, to request erasure in certain circumstances, to request restriction of processing, to object to processing based on legitimate interests (where applicable), and (in limited circumstances) data portability. You also have the right to withdraw consent at any time where processing is based on consent.
You may lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk. We encourage you to contact us first so we can try to resolve the matter.
To exercise rights, email hello@olliditton.com. We may need to verify your identity. We will respond within the statutory timeframe (normally one month, subject to permitted extensions).
13. Children
Our services are aimed at professionals and organisations. We do not knowingly collect personal data from children under 16 through the Website. If you believe we have done so, please contact us promptly.
14. Changes to this policy
We may update this policy to reflect changes in law, our practices, or our suppliers. The “Last updated” date will change accordingly. Where we materially reduce your rights or materially expand optional tracking, we will take reasonable steps to obtain fresh consent where the law requires (for example by invalidating prior cookie consent version flags).
15. Third-party rights
Unless expressly stated, nothing in this policy confers any enforceable benefit on any person who is not a party to any separate contract with us, under the Contracts (Rights of Third Parties) Act 1999 or otherwise.
16. Survival
Provisions which by their nature are intended to survive (including limitations, governing law references in linked terms, and audit-relevant retention where applicable) shall continue in force to the extent enforceable after our relationship with you in respect of the Website ends.
17. Personal data breaches
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will assess the incident, take containment and remediation steps, and notify the Information Commissioner’s Office and (where required) affected individuals without undue delay in line with UK GDPR Articles 33–34 and applicable provisions of the DPA 2018. Where we process personal data solely as a processor for another controller (for example under a client mandate), primary responsibility for regulatory notifications may sit with that controller subject to our contractual obligations.
18. Data minimisation and accuracy
We aim to collect personal data that is adequate, relevant, and limited to what is necessary for the purposes in section 5. You should notify us promptly of material changes (for example a new email address) so we can keep records accurate. This supplements the accuracy warranty in section 4.
19. Special category and criminal offence data in recruitment materials
CVs and free-text fields may include special category personal data (such as health information) or information about criminal allegations or convictions if you choose to disclose it. You should only include what is genuinely relevant. Where we process such data for recruitment or employment purposes, we rely on the lawful bases in section 5 together with applicable conditions in UK GDPR Article 9 and Schedule 1 to the DPA 2018 (including, where appropriate, processing necessary for the purposes of performing obligations or exercising rights in employment law).
20. ICO fee and supervisory authority
Where we are required to pay the data protection fee and appear on the register of data controllers maintained by the Information Commissioner’s Office, we maintain that obligation. The ICO remains the relevant UK supervisory authority for complaints as referenced in section 12.
For data processing agreements, international transfer impact assessments, or processor due diligence questionnaires, contact us at hello@olliditton.com with your entity details, jurisdiction, and scope of processing.